Recently, along with the popularization of cloud computing, data of a user is stored in a calculation resource that is connected to a network, and service based on the data has been spreading rapidly. In such service, an opportunity to deal with sensitive data of the user has been increased. Therefore, it is important to guarantee the safe management of the data on the user. Under such an environment, research and development of a technology, that enables to manage that data in encrypted state in an open network environment, and execute a search, a statistics processing and the like by using the data without decryption, has been performed actively.
In addition, recently, a crime, which exploits the vulnerability of personal authentication such like using a password or a magnetic card, occurs frequently. Therefore, a biometric identification technology having further high safety based on a biometric feature, such as a fingerprint and vein, attracts considerable attention. In the biometric identification, in order to verify authentication information, it is necessary to store a template related to biological information in a database (DB). The biological information such the fingerprint and vein is data that is basically not changed through the lifetime. If the biological information is leaked, serious damage occurs by the leakage of the information. Therefore, the biological information is information for which the confidentiality is required the most. Thus, it is necessary to prevent impersonation even if the template is leaked.
Thus, a biometric identification technology which protects templates (a template protection type biometric identification technology), in which the authentication is performed while template information remains concealed, has become important.
For example, in Patent literature 1, a method is disclosed in which biometric identification is performed using, as a template, data that is obtained by representing fingerprint data as points on a polynomial expression, adding random points to the points, and concealing the fingerprint data.
However, in the above-described method disclosed in Patent literature 1, it is known that there is a problem whether or not the biological information is protected with sufficient strength when the biometric identification is repeated plural times.
In Non-Patent literature 1, a method is disclosed in which biological information is protected by masking a template that is stored in a DB through a random Bose-Chaudhuri-Hocquenghem (BCH) code word. In the technology disclosed in Non-Patent literature 1, a biometric identification template is generated using biological information Z and confidential information S. FIG. 5 is a diagram based on FIG. 2 of Non-Patent literature 1, and the feature extraction, statistical analysis, quantization, and the like in FIG. 2 of Non-Patent literature 1 are omitted. The enrollment of a template is performed as follows.
(1) The confidential information S is input to an encoder (ENC). The ENC performs error correcting coding (ECC) on the confidential information S, and generates a code word C. A binary BCH code of parameters (K, s, and d) is used as the ECC. “K” indicates the length of the code word, and “s” indicates the number of information symbols, and “d” indicates the number of correctable errors.
(2) An XOR (exclusive OR) between “C” and “Z”, that is, “W2=C(+)Z” is calculated (hereinafter, the symbol “(+)” indicates bitwise XOR).
(3) “S” is input to a cryptographic (one-way) hash function H, such as a secure hash algorithm (SHA)-1 or the like, and the hash value H(S) is calculated.
(4) “W2” and “H(S)” are stored in a DB as template information.
The verification of whether or not the template, that has been generated as described in (1) to (4), and the other biological information Z′, are obtained from an identical person, is performed as follows.
(1) The XOR between “Z′” and “W2”, that is, “C′=W2(+)Z′=C(+)(Z(+)Z′)” is calculated.
(2) “C” is input to a decoder (DEC), and error-correcting decoding of the BCH code is performed to calculate “S”.
(3) “5” is input to the cryptographic (one-way) hash function H, such as the SHA-1 or the like, to calculate a hash value H(S′).
(4) “H(S)” is read from the DB, and it is verified whether or not “H(S)=H(S′)” is satisfied. When “H(S)=H(S′)” is satisfied, it is determined that the template and the biological information Z′ are obtained from an identical person. When “H(S)=H(S′)” is not satisfied, it is determined that the template and the biological information Z′ are respectively obtained from different persons.
The method illustrated in FIG. 5 does not depend on the obtaining method of the biological information Z. Therefore, generally, the method illustrated in FIG. 5 may be regarded as a method that verifies whether or not the encrypted data is generated by encrypting a plaintext of which distance to presented data is in certain distance.